Based on the Chrome settings here - https://www.chromium.org/updates/same-site/test-debug that were basically turned on in Chrome (and pretty much every other major browser), users that work with me can no longer get content iframed from a different domain.

I get the security - not knocking it. But we are running off of three domains right now and I would like to whitelist - as safe - the other domains so they can play in iframes. Is there a way to whitelist URLs to deem as safe for samesite cookie orientation?

blankip

1 Answer

Your problem may be that of Cross-origin resource sharing, defined as:

Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served.

As you control the source websites, the web-servers will need to add to their response the Access-Control-Allow-Origin header, as described in the W3C standard Access Control for Cross-Site Requests.

Specifically for Chrome, you may be able as a stop-gap measure to use the following extensions:

harrymc
  • You are right that it is a CORS issue. So there isn't a way to define a whitelist natively inside of Chrome or to the registry? I am wondering of the acceptability of a Chrome (any browser) plugin security-wise. Is there vetting via Google or the Chromium project? On a side note these plugins seem all over the place with reviews. I would prefer to script and send out changes via AD profile but I guess I could send down a plugin too (if the security team OKs it). – blankip Apr 10 '21 at 18:30
  • 1
    Is it possible to add the `Access-Control-Allow-Origin` header to the three domains? – harrymc Apr 10 '21 at 19:00
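Worked example, added here and not part of either poster's text: a small Python helper for the server side of what the answer and its comment describe. It emits `Access-Control-Allow-Origin` only for an exact match against an explicit allowlist of the three origins (never echoing an arbitrary `Origin` and never combining `*` with credentials), and it builds a `Set-Cookie` value with the attributes the linked Chromium SameSite page requires before a cookie is sent into a cross-site iframe at all (`SameSite=None; Secure`). The three origin names and the cookie name are constructed placeholders, not the asker's real domains.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed placeholders standing in for the asker's three domains.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://portal.example.org",
    "https://intranet.example.net",
})


def normalize_origin(origin: str) -> Optional[str]:
    """Return scheme://host[:port] in lowercase, or None if not a bare origin."""
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    # A browser Origin header carries no path, query or fragment; reject any.
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def cors_headers(request_origin: Optional[str]) -> dict:
    """Response headers for a credentialed cross-origin request.

    Exact match against the allowlist: substring or suffix checks would let
    app.example.com.evil.example pass, and reflecting the Origin unchanged
    would turn the allowlist into "everyone".
    """
    origin = normalize_origin(request_origin) if request_origin else None
    if origin is None or origin not in ALLOWED_ORIGINS:
        # Not one of ours: send no CORS grant at all (browser then blocks).
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Responses differ per Origin, so caches must key on it; otherwise one
        # allowed origin's grant could be served to a different requester.
        "Vary": "Origin",
    }


def set_cookie_header(name: str, value: str, max_age: int = 3600) -> str:
    """Build a Set-Cookie value Chrome will still send inside a cross-site iframe.

    With the SameSite changes the question links, an unmarked cookie defaults
    to SameSite=Lax and is dropped from iframe loads on other sites.
    SameSite=None opts back in, and Chrome only honours it together with Secure.
    """
    for field in (name, value):
        if any(ch in field for ch in ";\r\n"):
            raise ValueError("cookie name/value must not contain ';' or newlines")
    return (
        f"{name}={value}; Max-Age={max_age}; Path=/; "
        "Secure; HttpOnly; SameSite=None"
    )


if __name__ == "__main__":
    for probe in ("https://app.example.com", "https://app.example.com.evil.example",
                  "null", None):
        print(probe, "->", cors_headers(probe))
    print(set_cookie_header("session", "opaque-token"))
```

The cookie half is the part the asker actually hit: without `SameSite=None; Secure` the browser never attaches the cookie to the framed request, so no amount of CORS header work on the server changes what the iframe sees.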